Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

possible buffer overrun in Curl_infof #9149

Closed
yiyuaner opened this issue Jul 13, 2022 · 1 comment
Closed

possible buffer overrun in Curl_infof #9149

yiyuaner opened this issue Jul 13, 2022 · 1 comment
Assignees
@bagder

Comments

@yiyuaner
Copy link

In the file lib/sendf.c, the function Curl_infof has the following code:

void Curl_infof(struct Curl_easy *data, const char *fmt, ...) {
    ...
    size_t len;
    char buffer[MAXINFO + 2];
    len = mvsnprintf(buffer, MAXINFO, fmt, ap);
    buffer[len++] = '\n';
}

Since the function mvsnprintf may return -1 (see the code here), the following buffer access buffer[len++] can trigger a buffer overrun.

Similarly, the code for Curl_failf may trigger buffer overrun too:

void Curl_failf(struct Curl_easy *data, const char *fmt, ...) {
    size_t len;
    char error[CURL_ERROR_SIZE + 2];
    len = mvsnprintf(error, CURL_ERROR_SIZE, fmt, ap);
    error[len++] = '\n';
}
@bagder
Copy link
Member

bagder commented Jul 13, 2022

It is indeed an error, but luckily I think dprintf_formatf never actually returns -1 inside libcurl so this error never happens. Should still fix of course.

@bagder bagder self-assigned this Jul 13, 2022
@bagder bagder changed the title [Bug] Buffer overrun in Curl_infof possible buffer overrun in Curl_infof Jul 13, 2022
bagder added a commit that referenced this issue Jul 13, 2022
@bagder
mprintf: make dprintf_formatf never return negative
2b0e142 
This function no longer returns a negative value if the formatting
string is bad since the return value would sometimes be propagated as a
return code from the mprintf* functions and they are documented to
return the length of the output. Which cannot be negative.

Fixes #9149
Reported-by: yiyuaner on github
@bagder bagder mentioned this issue Jul 13, 2022
Closed
@bagder bagder closed this as completed in 0e48ac1 Jul 17, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bagder bagder

Labels
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

mprintf: make dprintf_formatf never return negative curl/curl
2 participants
@bagder @yiyuaner